masslogger | 49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f

General

Target

49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
Size

890KB
MD5

b2c340361e2a492f87cdd5c20b0300b9
SHA1

d43e2922e7cec5929d98c61f5d01034a567b40ff
SHA256

49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f
SHA512

15d8f461edad3213ced69c7631ada63116d34f0d5d8b776c654dc602de8b39c672017eb7c69d5d704684b31c56fd1aabb0c5bfb3d17d0228123d894cdd4b7cf4

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3792-140-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

34 api.ipify.org

flow	ioc
34	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe

description	pid	process	target process
PID 4808 set thread context of 3792	4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe

pid	process
4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
3792	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
3792	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe

description	pid	process
Token: SeDebugPrivilege	4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
Token: SeDebugPrivilege	3792	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe

C:\Users\Admin\AppData\Local\Temp\49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
"C:\Users\Admin\AppData\Local\Temp\49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
  "C:\Users\Admin\AppData\Local\Temp\49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe"
  2⤵
  PID:1524
- C:\Users\Admin\AppData\Local\Temp\49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
  "C:\Users\Admin\AppData\Local\Temp\49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe"
  2⤵
  PID:5020
- C:\Users\Admin\AppData\Local\Temp\49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
  "C:\Users\Admin\AppData\Local\Temp\49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe"
  2⤵
  PID:2344
- C:\Users\Admin\AppData\Local\Temp\49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
  "C:\Users\Admin\AppData\Local\Temp\49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1524-136-0x0000000000000000-mapping.dmp

Download
memory/2344-138-0x0000000000000000-mapping.dmp

Download
memory/3792-139-0x0000000000000000-mapping.dmp

Download
memory/3792-140-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4808-130-0x00000000008B0000-0x0000000000994000-memory.dmp

Filesize
912KB

Download
memory/4808-131-0x00000000053A0000-0x000000000543C000-memory.dmp

Filesize
624KB

Download
memory/4808-132-0x00000000059F0000-0x0000000005F94000-memory.dmp

Filesize
5.6MB

Download
memory/4808-133-0x0000000005440000-0x00000000054D2000-memory.dmp

Filesize
584KB

Download
memory/4808-134-0x0000000005340000-0x000000000534A000-memory.dmp

Filesize
40KB

Download
memory/4808-135-0x0000000005670000-0x00000000056C6000-memory.dmp

Filesize
344KB

Download
memory/5020-137-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 4808 wrote to memory of 1524	4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
PID 4808 wrote to memory of 1524	4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
PID 4808 wrote to memory of 1524	4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
PID 4808 wrote to memory of 5020	4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
PID 4808 wrote to memory of 5020	4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
PID 4808 wrote to memory of 5020	4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
PID 4808 wrote to memory of 2344	4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
PID 4808 wrote to memory of 2344	4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
PID 4808 wrote to memory of 2344	4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
PID 4808 wrote to memory of 3792	4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
PID 4808 wrote to memory of 3792	4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
PID 4808 wrote to memory of 3792	4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
PID 4808 wrote to memory of 3792	4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
PID 4808 wrote to memory of 3792	4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
PID 4808 wrote to memory of 3792	4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
PID 4808 wrote to memory of 3792	4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe
PID 4808 wrote to memory of 3792	4808	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe	49a3c92fab71efc302c61b68c9286cab4e867bb296a1b6178a2aa0f7a614509f.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads